Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 2.6.0
Affects Version/s: 2.5
Component/s: Security
Labels:
None

Epic Link:
FIPS mode
Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Link:
None
Goal Name(s):
None

The implementation of PasswordEvidence uses SHA256Managed and SHA256Managed is not FIPS compliant.

In fact, PasswordEvidence doesn't need to use SHA256 at all. It is only used as an optimization for the Equals method, to avoid having to decrypt the SecureString to compare two passwords.

Equals should be implemented in such a way that two PasswordEvidence instances can be compared without using a non-FIPS compliant method.

related to

CSHARP-1331 Use of SHA256Managed is not FIPS compliant.

Closed

Assignee:: Robert Stam
Reporter:: Robert Stam
Votes:: 1 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jan 31 2018 09:53:11 PM UTC
Updated:: Oct 28 2023 11:49:09 AM UTC
Resolved:: Feb 21 2018 03:37:27 PM UTC
Confidence Status Last Update:: 14/Feb/18 4:57 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates